name: Test

on:
  # Run on PRs that touch the workflow itself, the Go sources or the
  # module/build inputs; Markdown-only changes are excluded.
  pull_request:
    paths:
      - '.github/workflows/test.yml'
      - 'cmd/**'
      - 'pkg/**'
      - 'test/**'
      - 'go.mod'
      - 'go.sum'
      - 'makefile'
      - '!**/*.md'
  push:
    branches:
      - main
  # Allows other workflows (e.g. a release workflow) to invoke this one.
  workflow_call:

# One in-flight run per workflow+ref; a newer trigger cancels the older run.
concurrency:
  group: '${{ github.workflow }}-${{ github.ref }}'
  cancel-in-progress: true

# Declare default permissions as read only. Jobs that need to write
# (checks, pull-requests) opt in with a job-level `permissions` block.
permissions: read-all
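# NOTE(review): only `lint` sets `timeout-minutes`; the other jobs fall back
# to the runner's default job timeout.
jobs:
  lint:
    name: Lint
    timeout-minutes: 10
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          # audit: outbound calls are logged, not blocked; switch to `block`
          # with an allow-list once the expected egress set is known.
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
        with:
          # NOTE(review): the action is SHA-pinned but the linter binary it
          # installs is not — `latest` lets lint results drift between runs.
          version: latest

  format:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit
      - name: Check out repository code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install Go
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          # Go version is taken from go.mod so CI and local builds agree.
          go-version-file: go.mod
          check-latest: true
      - name: Check formatting
        run: |
          make format-check

  gosec:
    runs-on: ubuntu-latest
    env:
      # Quoted: a bare `on` is a YAML 1.1 boolean and can reach the
      # environment as `true` instead of the literal string Go expects.
      GO111MODULE: "on"
    steps:
      # Added for parity with the other jobs: the scanner job previously ran
      # without egress auditing.
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit
      - name: Checkout Source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run Gosec Security Scanner
        uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
        with:
          # Only high-severity findings fail the job; test/ is excluded.
          args: '-severity high -exclude-dir=test ./...'

  vulnerability-check:
    name: "Vulnerability check"
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit
      # No explicit checkout step here; the govulncheck action is relied on
      # to fetch the sources itself.
      - name: Scan for Vulnerabilities
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          go-version-file: go.mod
          check-latest: true
          go-package: ./...

  test:
    strategy:
      matrix:
        platform: [ubuntu-latest, windows-latest, macos-latest]
        # `target` is the GOOS label used in report file names.
        include:
          - platform: ubuntu-latest
            target: linux
          - platform: windows-latest
            target: windows
          - platform: macos-latest
            target: darwin
    name: 'Test (${{ matrix.target }})'
    runs-on: ${{ matrix.platform }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit
      - name: Check out repository code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install Go
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: go.mod
          check-latest: true
      - name: Install go-junit-report
        # NOTE(review): `@latest` resolves to whatever is newest at run time;
        # pinning a version keeps the report tool reproducible.
        run: go install github.com/jstemmer/go-junit-report/v2@latest
      - name: Unit testing
        run: |
          mkdir -p build
          go test -v ./... > build/cbuild2cmaketests-${{ matrix.target }}-amd64.txt
      - name: Generate JUnit test report
        # always(): the report is produced even when the tests failed;
        # -set-exit-code then propagates the failure.
        if: always()
        run: |
          go-junit-report -set-exit-code -in build/cbuild2cmaketests-${{ matrix.target }}-amd64.txt -iocopy -out build/cbuild2cmake-testreport-${{ matrix.target }}-amd64.xml
      - name: Install qemu (for Linux-Arm64)
        # always() added: without it a failing amd64 run skips this step
        # (implicit success()), while the arm64 steps below still run and
        # would then try to execute arm64 test binaries with no emulator.
        if: ${{ startsWith(runner.os, 'Linux') && always() }}
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            gcc-aarch64-linux-gnu \
            g++-aarch64-linux-gnu \
            qemu-user-binfmt
      - name: Unit testing (for Linux-Arm64)
        if: ${{ startsWith(runner.os, 'Linux') && always() }}
        run: |
          GOOS=linux GOARCH=arm64 go test -v ./... > build/cbuild2cmaketests-${{ matrix.target }}-arm64.txt
      - name: Generate JUnit test report (for Linux-Arm64)
        if: ${{ startsWith(runner.os, 'Linux') && always() }}
        run: |
          go-junit-report -set-exit-code -in build/cbuild2cmaketests-${{ matrix.target }}-arm64.txt -iocopy -out build/cbuild2cmake-testreport-${{ matrix.target }}-arm64.xml
      - name: Archive unit test results
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: test-results-${{ matrix.target }}
          path: ./build/cbuild2cmake-testreport-*.xml
          # A missing report is a pipeline error, not a silently empty upload.
          if-no-files-found: error

  publish-test-results:
    if: ${{ github.workflow != 'Release' }}
    name: "Publish Tests Results"
    needs: [ test ]
    runs-on: ubuntu-latest
    # Narrow write scope needed to post check runs and PR comments; the
    # workflow default stays read-all.
    permissions:
      checks: write
      pull-requests: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit
      - name: Download Artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: artifacts
      - name: publish test results
        uses: EnricoMi/publish-unit-test-result-action@170bf24d20d201b842d7a52403b73ed297e6645b # v2.18.0
        with:
          files: "artifacts/**/cbuild2cmake-testreport-*.xml"
          report_individual_runs: true

  coverage:
    # Skipped for the Release workflow and for forks of the repository.
    if: ${{ github.workflow != 'Release' && github.repository == 'Open-CMSIS-Pack/cbuild2cmake' }}
    needs: [ test ]
    name: 'Coverage check'
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          egress-policy: audit
      - name: Check out repository code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install Go
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: go.mod
          check-latest: true
      - name: Check coverage
        run: |
          make coverage-check
      - name: Publish coverage report to Code Climate
        # Fork PRs do not receive repository secrets, so the upload (which
        # needs CC_TEST_REPORTER_ID) is skipped for them.
        if: ${{ github.event.pull_request.head.repo.fork == false }}
        uses: paambaati/codeclimate-action@f429536ee076d758a24705203199548125a28ca7 # v9.0.0
        env:
          CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
        with:
          # NOTE(review): debug output is always on; consider disabling once
          # the upload is known to work.
          debug: true
          coverageLocations: ./build/cover.out:gocov
          prefix: github.com/Open-CMSIS-Pack/cbuild2cmake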